The electric grid is more cyber vulnerable than has been acknowledged

Feb. 19, 2016

George Cotter (formerly Chief Scientist for the National Security Agency) and I briefed the FERC Commissioners on cyber threats and cyber incidents affecting the grid.  The cyber security regulations fail to include a requirement that utilities (or nuclear plants) remove malware found in their networks.  

February 9, 2016: NERC issued an alert titled, “Mitigating Adversarial Manipulation of Industrial Control System as Evidenced by Recent International Events.” Also on February 9: The Obama administration announced its Cybersecurity National Action Plan.  Writing on behalf of the Plan in a Wall Street Journal op-ed opinion, the President characterized cyber threats as an “urgent danger” to our economic and national security and stated that adversaries are probing for vulnerabilities in the networks controlling our power grid.

January 28-29, 2016: George Cotter (formerly Chief Scientist for the National Security Agency) and I briefed the FERC Commissioners on cyber threats and cyber incidents affecting the grid.  The briefing slides, which are part of the FERC public record (Docket RM15-14-000), are available at Exercise of FERC Authority for Cybersecurity of the North American Electric Grid.

One matter we flagged for the Commissioners was a glaring omission in cyber security regulations for the electric utilities (NERC CIPs) and the nuclear utilities (Regulatory Guide 5.71/NEI-0809). These regulations fail to include a requirement that utilities (or nuclear plants) remove malware found in their networks. This is astounding, considering that BlackEnergy—malware which almost certainly facilitated the recent cyber attacks on the Ukrainian electric grid—has also been found in the US electric grid. This hole in the regulations certainly won’t help utilities’ prospects in the cyber insurance market.

I will speak about industrial control system (ICS) cyber security issues, including regulatory deficiencies and cyber insurance considerations, in keynote addresses to the National Academy of Science, Engineering, and Medicine (February 23, in Washington, D.C.) and to the Business Insurance Risk Conference (March 23, in New York).

Joe Weiss
